from the dysfunction-junction dept

So we've noted that the FTC's settlement over the Equifax hack that exposed the public data of 147 million Americans is a bit of a joke. The FTC originally promised that impacted users would be able to nab 10 years of free credit reporting or a $125 cash payout if users already subscribed to a credit reporting service. But it didn't take long for the government to backtrack, claiming it was surprised by the number of victims interested in modest compensation, while admitting the settlement failed to set aside enough money to pay even 248,000 of the hack's 147 million victims.

This week, the Equifax Settlement Administrator sent out an email doubling down on the dysfunction, demanding that users who applied for their $125 prove they already have credit monitoring services. Users are being told they need to prove they subscribe to such services by October 15, or they won't get the money. Worse perhaps, the notice reiterates that even if you can prove you subscribe to credit monitoring services, you probably won't get anywhere near $125 because the settlement failed to set aside enough money to fulfill even a fraction of its promise:

"This latest email again reminds users that even if you can prove you have credit reporting already, you still may not get the full $125 thanks to the limitations of the settlement. In response to what it’s calling “overwhelming” demand, the FTC also urges those who submitted a claim for $125 to switch to the free credit reporting offer instead."

One problem is that "free credit monitoring" is largely a useless perk. Such services are routinely doled out for free every time there's a major hack or privacy breach, which drop at a rate of around once a week now. Usually these services are included as a settlement freebie to make the settlement itself seem more substantive than it actually is. But the other major problem is that the FTC and its settlement partners gave the impression that users would at least get $125 for their troubles, set aside a tiny fraction of the money they'd need, then acted shocked when users signed up.

Most of the legal experts I've talked to about this say it would have been fairly easy to strike a more productive, less chaotic settlement. Instead of free credit reporting, the settlement could have simply requested that victims have their credit reporting temporarily frozen (until needed), something which costs nothing. And while it still may have been underwhelming, the settlement also could have promised individual users a cash payout it could actually have met. The general consensus remains that the settlement, as structured, teeters somewhere between negligence and incompetence:

"James Grimmelmann, a professor of law at Cornell Tech and Cornell Law School, told Motherboard the FTC’s failure to predict the public’s interest teeters toward negligence.
“Even a single-digit percentage claim rate for this one would have exhausted the $31 million 50 times over,” he says. “It was negligent on the part of the FTC not to expect that more victims would choose the cash payment in a case this prominent and this egregious, instead of the worthless credit monitoring.”"

Users can still apply for up to $20,000 in compensation if they can clearly prove the hack directly contributed to concrete harm like identity theft, but by and large the settlement is the poster child for meaningless privacy wrist slaps. Outside of bad press coverage, there's absolutely nothing here that would deter Equifax from future lax security and privacy practices, and consumers get little to compensate them for what is one of the biggest data breaches in American history. The FTC's primary function appears to have been to act as a PR proxy for Equifax's reputation, primarily by pretending the company had been held accountable via a "record" fine, inflated to appear far more meaningful than it actually is.

from the say-what-now dept

Last week there was a bit of news as the FTC released a proposed settlement between the FTC and Equifax over the data broker's massive security breach that came to light nearly two years ago. We had already noted that the FTC's way of dealing with Equifax seemed particularly tone deaf, but it's getting worse. Much worse. As you may have heard, part of the "settlement" with Equifax is that you could sign up to get $125 from the company (or possibly more). It was either that or free credit monitoring. But, come on: everyone already has so many "free credit monitoring" services from previous breaches that this is a totally meaningless offer. It also costs nothing for Equifax.

So, over the past week or so a ton of (helpful) news sites have been posting explainers on how to get your $125. Except... apparently too many people signed up and now the FTC is helping Equifax by telling people not to ask for money from the company any more. First, the FTC literally deleted that option from its website:

Then, it posted a blog post and a statement, both of which encourage people not to ask for money -- and argue that the credit monitoring that no one needs is a "better deal."

The public response to the settlement has been overwhelming, and we’re delighted that millions of people have visited ftc.gov/Equifax and gone on to the settlement website’s claims form.

But there’s a downside to this unexpected number of claims. First, though, the good: all 147 million people can ask for and get free credit monitoring. There’s also the option for people who certify that they already have credit monitoring to claim up to $125 instead. But the pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.

So, if you haven’t submitted your claim yet, think about opting for the free credit monitoring instead. Frankly, the free credit monitoring is worth a lot more – the market value would be hundreds of dollars a year.

Of course, the proper response to this is for the FTC to recognize that a $31 million pot for settlements here was way too small. Remember, this is the same organization that was being criticized for "only" dinging Facebook for $5 billion for privacy violations that one could argue were significantly less egregious and damaging than Equifax's breach. The fact that the FTC thinks its job here is now to act as a PR shop for Equifax, rather than to maybe go back to the drawing board, is pretty telling.

The overwhelming response seems like a good indication that the proposed settlement is not fair, reasonable, and adequate, and that the court should reject it. Objections are due by November 19, and there is a fairness hearing on December 19.

This is pretty damning towards the FTC. If they built a settlement structure that only works if few of the people impacted claim it, then the settlement is objectively ridiculous. Either users who had their data leaked deserve $125 or they don't. The entire structure of setting up a $31 million pool, such that if the people impacted actually claim their money they get less of it, is just mindbogglingly pointless.

from the bad-cops-and-bad-corps dept

Data breaches occur daily, affecting thousands of people. And everyone shrugs and moves on with their lives, especially those running the affected companies. Why? Because nothing ever happens to companies which have carelessly exposed data, as Cory Doctorow points out:

Why does this keep happening? Because it's affordable. In 2014, Home Depot breached more than 50,000,000 credit-cards; in 2016, they paid less than $0.34/customer in restitution.

There are longer-term reputational costs associated with breaches, but these are not generally factored into the quarterly-earnings-focused mindsets of corporate execs and strategists.

Two of the most damaging breaches in recent years involved millions of people who were given little or no choice in how much personal data of theirs was held by these entities. One was the Office of Personnel Management. Those seeking government jobs turn over a lot of info to the government, which then handles it carelessly.

The other -- Equifax -- was even worse, at least in terms of consent. There was none. No one voluntarily hands information to Equifax. It's gathered by Equifax which sells access to any number of companies seeking credit records. No one opts in and, more importantly, there's no way to opt out.

No one can hold these entities accountable, at least not to the extent it will deter future breaches. Because of that, the only thing we're guaranteed is more breaches. These companies and agencies will continue to exist, hoovering up even more personal data, and, eventually, leave it exposed where criminals can make the most of other people's finances.

From one wheelhouse to another, the same can be said for law enforcement agencies and police misconduct. In almost every case, a police officer sued for rights violations pays nothing for the wrongs committed. Neither does the agency employing the officer. This is from a study of police indemnification published by the New York University Law Review:

During the study period, governments paid approximately 99.98% of the dollars that plaintiffs recovered in lawsuits alleging civil rights violations by law enforcement. Law enforcement officers in my study never satisfied a punitive damages award entered against them and almost never contributed anything to settlements or judgments—even when indemnification was prohibited by law or policy, and even when officers were disciplined, terminated, or prosecuted for their conduct.

Officers are never made to personally feel the pain of a settlement. The officer often returns to work with only the minor black mark of a lost lawsuit on their record. Consequently, the violations continue because officers have nothing at stake. If they screw up, another government entity picks up the tab using taxpayer dollars.

The solution to this problem isn't as readily apparent as it might seem. Personal indemnification -- forcing officers to be held personally responsible for settlements stemming from rights violations -- seems like a good deterrent, but it has its downsides. Scott Greenfield has examined the issue and the flaws are right below the satisfying gloss covering the surface.

Often, the argument is that the solution to police violence is to make the cop personally liable for his conduct, shift the incentive system from the municipality, or more accurately its taxpayers, to the bad dude who did the dirty. Make him suffer.

The problem is that the cop may be judgment proof. If the cop has no wealth or assets, there is no fund from which to collect a judgment. You can’t get blood from a rock.

While this may be an effective deterrent, it doesn't do anything to make the plaintiff whole. Having a city cover the cost ensures the victim will be paid, but it lets the officer off the hook.

What's the solution? Perhaps it's a sharing of the burden. Officers could be made to carry their own litigation insurance. This would eliminate the free pass of outside indemnification by making every act of misconduct count. Get sued often enough and the insurance company will drop the officer. An officer without insurance is pretty much unemployable.

It's also a win for officers, who would no longer gripe about cities settling too easily with plaintiffs and otherwise besmirching the barrel of apples by proxy. Sure, they won't be nearly as vocal about it when their own insurance coverage is on the line, but it will put their own insurance premiums where their mouths are, which would be a small victory in and of itself.

Circling back outside to the original wheelhouse, what can be done to make companies actually care about data breaches? So far, nothing seems to be slowing the flow of carelessly exposed data. Doctorow has a suggestion, and it runs along the lines of the solution that (might!) work for law enforcement:

If companies were paying out damages commensurate with the social costs their data recklessness imposes on the rest of us, it would have a very clarifying effect on their behavior -- insurers would get involved, refusing to write E&O policies for board members without massive premium hikes, etc. A little would go a long way, here.

There are no perfect solutions. But we simply shouldn't settle for the status quo. Neither group will welcome increased accountability, but there's simply no reason we should continue to let them skate, either.

from the ostrich-style dept

In the wake of the Equifax breach, there has been some discussion about just how quickly companies should publicly disclose when they have been victims of security breaches that reveal client information. In the case of Equifax, the company had essentially been sitting on the knowledge that it was attacked since July before going public in early September. Something like two months, in other words. While most people agree that victim companies should have some time to get their houses in order before opening the window shades, two months seemed like a lot, given the severity of the attack and the number of potential victims among Equifax's clients.

But two months is nearly lightning quick compared with Deloitte, the enormous accounting firm that discovered it was the victim of an attack in March and only bothered to tell the public, along with most of its clients, this week.

One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

Now, Deloitte may have discovered the breach in March, but there have been whispers that the attackers may actually have pulled all this off in October of last year. The attack was pulled off by accessing an administrator account that lacked anything resembling two-factor authentication, all hosted on Microsoft's Azure cloud service, and potentially exposing every sort of client data ranging from passwords and IP addresses to health information. The decision was made within Deloitte to only inform a few partners and legal staff within the company and a total of six Deloitte clients that the breach had even occurred. Most Deloitte staff and customers had no idea until these past few days.

And that decision could amount to a very real problem for the company, given that most US states and territories have security breach notification laws mandating when companies must tell clients that these sorts of attacks have occurred. If Deloitte has customers outside of the six it has informed in any of those states or territories, which is a virtual certainty, and those clients' information was exposed by this attack, Deloitte could be in violation of all kinds of state laws for failing to inform those customers what had happened. Most of these laws frustratingly rely on ambiguous language as to how quickly clients or residents of the state should be informed of the breach -- there is all kinds of "in the most expedient time possible" and "without unreasonable delay" language in these laws -- but it would be patently absurd for Deloitte to suggest that six months' time meets any of those requirements.

In fact, Deloitte won't even acknowledge if it has ever contacted law enforcement about the breach.

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

Now, for its part, Deloitte is making much of its ability to perform an internal review of the breach, and of the contracted security firms it has engaged, stating that these have allowed it to pinpoint exactly what data was accessed and what wasn't, and that the amount actually accessed is very small. Except it's hard to take those cyber-sleuthing capabilities on faith when the firm has been so opaque about the breach thus far, and at least some of the notification laws require notification upon breach, not upon actual data acquisition.

If nothing else, it should be clear that covering this stuff up and trying to pretend it never happened is no way to do security.

from the what-the-actual-fuck dept

So, yes, by now you know all about the whole Equifax hack and how really, really terrible it is. Lots of sites have been posting various stories about what you should do about it, when the truth is you really can't do much. A lot of people are likely going to deal with an awful lot of bad stuff almost entirely because of this leak by Equifax. Not surprisingly, the FTC has weighed in with some suggestions, most of which won't actually help very much. Most of them are the standard suggestions everyone's giving -- including checking your credit reports, putting a credit freeze on your files and basically watching very closely to see if you're fucked over by whoever has access to these files.

But the FTC's very last suggestion is the one I wanted to focus on today. It's basically "um, well, maybe try to file your tax returns early next year, so you beat hackers trying to do the same?"

File your taxes early — as soon as you have the tax information you need, before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.

As someone who has been a victim of someone filing fake tax returns to try to get my refund, I can say it's a really shitty process to go through. The problem here, though, is the whole setup of our tax system, which makes it pretty damn easy for someone to fake your tax returns -- now made even easier thanks to this breach. If the FTC really wanted to help, it should be pushing for a complete overhaul of how tax filing works, such that merely knowing your Social Security Number and address isn't enough to file tax returns in your name. Among the many problems here, it starts with the idiotic idea that we use SSNs as an identity tool -- but there's also the fact that we continue to have the IRS force every American to play a guessing game with their taxes just to keep tax prep companies like Intuit and H&R Block happy.

I recognize that the FTC isn't directly in a position to fix this, but the fact that its best suggestion is "race the hackers to filing your tax returns and hope you get there first" should highlight just how totally fucked up our income tax system is in the US.

from the hang-on... dept

Okay, chances are you've already heard about the massive security breach at Equifax, that leaked a ton of important data on potentially 143 million people in the US (basically the majority of adults in America). If you haven't, you need to pay more attention to the news. I won't get into all the details of what happened here, but I want to follow a few threads:

First, Equifax had been sitting on the knowledge of this breach since July. There is some dispute over how quickly companies should disclose breaches, and it makes sense to give companies at least some time to get everything in order before going public. But here it's not clear what Equifax actually did. The company has seemed almost comically unprepared for this announcement in so many ways. Most incredibly, the site that Equifax set up for checking if your data has been compromised (short answer: yeah, it almost certainly was...) was on a consumer hosting plan using a free shared SSL certificate, a funky domain and an anonymous Whois record. And, incredibly, it asked you for most of your Social Security Number. In short, it was set up in a nearly identical manner to a typical phishing site. Oh, and it left open the fact that the site had only one user -- "Edelman" -- the name of a big PR firm.

Not surprisingly, it didn't take long for various security tools to warn that the site wasn't safe.

Said site is now unsurprisingly being flagged as suspicious by OpenDNS (and probably others) 🤦‍♂️🤦‍♂️🤦‍♂️

And, when Equifax pushed people to its own "TrustedID" program to supposedly check to see if you were a victim of its own failures... it just started telling everyone yes no matter what info they put in:

Just wow. If you enter "Test" and "123456" on Equifax's hack checker page, it says your data has been breached.

So, yeah, what the hell did Equifax do during those six weeks it had to prepare? Oh, well, a few of its top execs used the delay to sell off stock, which may put them in even more hot water (of the criminal variety). Also, just days before it revealed the breach, and long after it knew of it, the company was talking up how admired its CEO is. This is literally the last tweet from Equifax prior to tweeting about the breach (screenshotted, because who knows how long it'll last):

I can't see any scenario under which Smith keeps his job. And it seems likely that many other execs are going to be in trouble as well. Beyond the possible insider trading above, there's already scrutiny on its corporate VP and Chief Legal Officer, John J. Kelley, who made $2.8 million last year and runs the company's "security, compliance, and privacy" efforts.

And despite six weeks to prepare for this, the following was Equifax's non-apology:

We apologize to our consumers and business customers for the concern and frustration this causes.

That's a classic non-apology. It's not apologizing for its own actions. It's not apologizing for the total mess it's created. It's just apologizing if you're "concerned and frustrated."

Oh, and did we mention that the very morning of the day that Equifax announced the breach, it tweeted out about a newsletter it published about how "safeguarding valuable customer data is critical." Really (again, screenshotted in case this disappears):

What the fuck, Equifax? Should we even mention that Equifax has been a key lobbying force against data breach bills? Those bills have some problems... but, really, it's not a good look following all of this.

And while there was some concern that signing up to check to see if you were a victim (again: look, you probably were...) would force you out of being a part of any class action lawsuit, that's since been "clarified" to not apply to any class action lawsuits over the breach. And you better believe that the company is going to be facing one heck of a class action lawsuit (a bunch are being filed, but they'll likely be consolidated).

That's all background of course. What I really wanted to discuss is how this will almost certainly get worse before it gets better. More than twelve years ago, I wrote that every major data breach is later revealed to be worse than initially reported on. This has held true for years and years. The initial analysis almost always underplays how serious the leak is or how much data is leaked. Stay tuned, because there's a very high likelihood we'll find out that either more people were impacted or that more sensitive information is out there.

And that should be a major concern, because what we already know here is stunning. As Michael Hiltzik at the LA Times noted, this is the mother lode of data if you want to commit all sorts of fraud:

The data now at large includes names, Social Security numbers, birthdates, addresses and driver’s license numbers, all of which can be used fraudulently to validate the identity of someone trying to open a bank or credit account in another person’s name.

In some cases, Equifax says, the security questions and answers used on some websites to verify users’ identity may also have been exposed. Having that information in hand would allow hackers to change their targets’ passwords and other account settings.

Other data breaches may have been bigger in terms of total accounts impacted, but it's hard to see how any data breach could have been this damaging. For over a decade, we've pointed out that credit bureaus like Equifax are collecting way too much data, with zero transparency. In fact, back in 2005, we wrote about Equifax itself saying that it was "unconstitutional and un-American" to let people know what kind of information Equifax had on them. The amount of data that Equifax and the other credit bureaus hold is staggering -- and as this event shows, they don't seem to have much of a clue about how to actually secure it.

At some point, we need to rethink why we've given Equifax, Experian and TransUnion so much power over so much of our everyday lives. You can't opt-out. They collect most of their data without us knowing and in secret. You can't avoid them. And now we know that at least one of them doesn't know how to secure that data.